CVE Wiki Pixee · CVE intelligence

CVE-2026-20253

Critical · CVSS 9.8

Splunk Enterprise — Missing Authentication for Critical Function (CWE-306) - Unauthenticated arbitrary file create/truncate via PostgreSQL sidecar service endpoint, leading to pre-auth RCE

CVSS: 9.8 (nvd)
EPSS: 1.68% (74th pct)
KEV: No
Class: other · CWE-306

Description

In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.

Search profile — drives PoC discovery

Symbols: PostgreSQL sidecar service, sidecar service endpoint, file create, file truncate, SVD-2026-0603, postgresql sidecar, unauthenticated file operation, splunk postgres sidecar
Keywords: CVE-2026-20253, Splunk Enterprise, PostgreSQL sidecar, unauthenticated, pre-auth RCE, SVD-2026-0603, arbitrary file creation, file truncate, watchTowr, missing authentication, CWE-306, Splunk sidecar service exploit, Splunk 10.2 vulnerability
Versions: 10.2.0 < 10.2.4, 10.0.0 < 10.0.7

Candidate PoCs (3) — discovered, not yet vetted or ranked

Recall-favoring discovery (nomi-sec + trickest). Vetting + ranking is the Stage-4 scorer.

References

Status: enriched · ingested 2026-06-15T18:00:58.000Z · profiled 2026-06-16T18:19:23.017Z